Creating IPS Policy Rules
Before You Begin
Read the Understanding IPS Policies topic.
Read the Understanding IPS Policy Templates topic.
Create IPS policies and IPS policy templates. See Creating IPS Policies and Creating IPS Policy Templates.
Use this page to create intrusion prevention system (IPS) rules that define actions to be taken when the matching traffic pattern is found. You can add, edit, or delete rules to an IPS policy.
You can use the predefined IPS templates while creating an IPS policy. These templates contain rules that use default actions associated with attack objects. You can customize these templates to work on your network by selecting your own source and destination addresses and choosing IPS actions that reflect your security needs.
IPS rules protect your network from attacks by using attack objects to detect known and unknown attacks based on stateful signature and protocol anomalies. IPS exempt rules prevent unnecessary alarms from being generated.
To configure an IPS policy rule:
- Select Configure > IPS Policy > Policies > or Templates.
- Click the Add Rules link in the created policy.
- Click Create and then select IPS Rule or Exempt Rule.
- Complete the configuration according to the guidelines provided in Table 1 and Table 2.
- Click Publish.
A new IPS rule with your configuration is created. You can use this rule in an IPS policy or an IPS policy template.
Settings |
Guidelines |
---|---|
Name |
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters. |
IPS Type |
Display the rule of the specified type. For example, IPS, Exempt. |
Src. Zone |
Click the Source Zone field and configure the source zone editor settings. |
Source Zone Editor |
|
Zone |
Select any zone for the source. You can also use zone exceptions to specify unique to zones for each device. Specify any to monitor network traffic originating from any zone. The default value is any. |
Src. Address |
Click the Source Address field and configure the source address settings. |
Source Address |
|
Address Selection |
Include or exclude addresses from the selected address list for the rule. You can also select to include any of the IP addresses of the source objects. |
Addresses |
Select one or more available IP addresses from the Available column to include in the selected list for the rule. |
Add New Source Address |
Click the button to add a new source address. |
Dest. Zone |
Click the Destination Zone field and configure the destination zone editor settings. |
Destination Zone Editor |
|
Zone |
Select any zone for the destination. You can also use zone exceptions to specify unique from zones for each device. Specify any to monitor network traffic to any zone. The default value is any. |
Dest. Address |
Click the Destination Address field and configure the destination address settings. |
Destination Address |
|
Address Selection |
Include or exclude addresses from the selected address list for the rule. You can also select to include any of the IP addresses of the source objects. |
Addresses |
Select one or more available IP addresses from the Available column to include in the selected list for the policy rule. |
Add New Destination Address |
Click the button to add a new destination address. |
Service |
Click the Service field and configure the service editor settings. |
Service Editor |
|
Services |
Select an available services for the policy rule. For example:
The default value is Default.A service in Security Director refers to an application on a device, such as Domain Name System (DNS). Services are based on protocols and ports and when added to a policy can be applied across all devices managed by Security Director. |
Add New Service |
Click the button to add a new service. |
IPS Signature |
Click the IPS Signature field and configure the IPS signature settings. |
IPS Signature |
|
IPS Signatures |
Select one or more available IPS signatures from the Available column to include in the selected list for the policy rule. |
Add New IPS Signature |
Click the button to add a new IPS signature. |
Action |
Click the Action field and configure the action settings. |
Action |
|
Action |
Select an option for the action you want IPS to take when the monitored traffic matches the attack objects specified in the rules:
Note:
The DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets. |
Notification Opt. |
Click the Notification field and configure the notification settings. |
Notification Opt. |
|
Attack Logging |
Enable this option to log attacks. |
Alert Flag |
Enable this option to add an alert flag to an attack log. |
Log Packets |
Enable this option to log packet capture when a rule matches. |
Packets Before |
Enter the number of packets processed before the attack is captured. |
Packets After |
Enter the number of packets processed after the attack is captured. |
Post Window Timeout |
Enter the time limit for capturing post-attack packets for a session. No packet capture is conducted after the timeout has expired. Range is from 0 through 1800 seconds. |
IP Action Opt. |
Click the IP Action field and configure the IP action settings. |
IP Action Opt. |
|
IP Action |
Select an option to apply actions on future connections that use the same IP action attributes:
|
IP Target |
Select an option to block future connections:
|
Refresh Timeout |
Enable this option to refresh the IP action timeout so it does not expire when future connections match the IP action filter. |
Timeout Value |
Enter the number of seconds that you want the IP action to remain in effect after a traffic match. Default value is 0 seconds and the range is from 0 through 64,800 seconds. |
Log Taken |
Enable this option to log information about the IP action against the traffic that matches a rule. |
Log Creation |
Enable this option to generate a log event on the IP action filter. |
Additional Opt. |
Click the Additional field and configure the additional settings. |
Additional Opt. |
|
Severity |
Select a severity level to override the inherited attack severity in the rules. Levels, in order of increasing severity, are info, warning, minor, major, and critical. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems. |
Terminal |
Enable this option to set a terminal rule flag. The device stops matching rules for a session when a terminal rule is matched. |
Description |
Enter a description for the IPS policy rule; maximum length is 4096 characters. |
Settings |
Guidelines |
---|---|
Name |
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters. |
IPS Type |
Display the rule of the specified type. For example, IPS, Exempt. |
IPS Signature |
Click the IPS Signature field and configure the IPS signature settings. |
IPS Signature |
|
IPS Signatures |
Select one or more available IPS signatures from the Available column to include in the selected list for the policy rule. |
Add New IPS Signature |
Click the button to add a new IPS signature. |
Action |
Click the Action field and configure the action settings. |
Action |
|
Action |
Select an option for the action you want IPS to take when the monitored traffic matches the attack objects specified in the rules:
Note:
The DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets. |
Notification Opt. |
Click the Notification field and configure the notification settings. |
Notification Opt. |
|
Attack Logging |
Enable this option to log attacks. |
Alert Flag |
Enable this option to add an alert flag to an attack log. |
Log Packets |
Enable this option to log packet capture when a rule matches. |
Packets Before |
Enter the number of packets processed before the attack is captured. |
Packets After |
Enter the number of packets processed after the attack is captured. |
Post Window Timeout |
Enter the time limit for capturing post-attack packets for a session. No packet capture is conducted after the timeout has expired. Range is from 0 through 1800 seconds. |
IP Action Opt. |
Click the IP Action field and configure the IP action settings. |
IP Action Opt. |
|
IP Action |
Select an option to apply actions on future connections that use the same IP action attributes:
|
IP Target |
Select an option to block future connections:
|
Refresh Timeout |
Enable this option to refresh the IP action timeout so it does not expire when future connections match the IP action filter. |
Timeout Value |
Enter the number of seconds that you want the IP action to remain in effect after a traffic match. Default value is 0 seconds and the range is from 0 through 64,800 seconds. |
Log Taken |
Enable this option to log information about the IP action against the traffic that matches a rule. |
Log Creation |
Enable this option to generate a log event on the IP action filter. |
Additional Opt. |
Click the Additional field and configure the additional settings. |
Additional Opt. |
|
Severity |
Select a severity level to override the inherited attack severity in the rules. Levels, in order of increasing severity, are info, warning, minor, major, and critical. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems. |
Terminal |
Enable this option to set a terminal rule flag. The device stops matching rules for a session when a terminal rule is matched. |
Description |
Enter a description for the IPS policy rule; maximum length is 1024 characters. |